MEMORANDUM ADVISORY REPORT
SBA NEEDS TO IMPLEMENT A VIABLE SOLUTION
TO ITS LOAN ACCOUNTING SYSTEM MIGRATION PROBLEM

AUDIT REPORT NUMBER 05-29

SEPTEMBER 30, 2005

This report may contain proprietary information subject to the provisions of 18
USC 1905 and must not be released to the public or another agency without
permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

MEMORANDUM ADVISORY REPORT
Issue Date: September 30, 2005
Number: 05-29

To:       Stephen D. Galvan,
          Acting Deputy Administrator

          Michael W. Hager,
          Associate Deputy Administrator
          Office of Capital Access

          Charles McClam
          Acting Chief Information Officer

          /S/ Original Signed
From:     Robert G. Seabrooks
          Assistant Inspector General for Audit

Subject:  SBA needs to Implement a Viable Solution to its Loan Accounting System
          Migration Problem

This report alerts you to the serious and significant problems confronting SBA
and the need for more effective actions relating to the migration, enhancement or
replacement of SBA’s Loan Accounting System. SBA reviewed a draft of this report and
generally agreed with its findings and recommendations.
SBA’s complete response is
included as appendix “A” to this report.

BACKGROUND

SBA’s Loan Accounting System (LAS) has been in existence since the 1970’s.
While state-of-the-art when designed, the application environment now adversely impacts
the SBA’s ability to rapidly meet the expanding requirements of current and future
business needs. The LAS includes 19 subsystems and serves as the principal data
processing and data collection tool for SBA’s loan servicing, loan monitoring and loan
accounting processes. In Fiscal Year (FY) 2004, the SBA LAS serviced a loan portfolio
which totaled approximately $60 Billion.[1]

[1] SBA Performance and Accountability Report FY2004, page 75

While multiple assessments and feasibility studies have been completed with the
objective of pointing out the need for enhancing or replacing LAS, a definitive migration
strategy or replacement approach has not been developed and adopted by the SBA.
Recently, the risks of not implementing an effective short-term and long-term migration
or replacement solution have increased due to the following factors.

   •   SBA’s contract with Unisys Corporation to provide outsourced services for LAS
       will expire effective on February 17, 2007.

   •   On January 24, 2005, the Office of Chief Information Officer (OCIO) was
       informed by the General Services Administration that the existing Unisys contract
       could not be extended beyond its current term.

   •   On December 10, 2004, OCIO presented to SBA’s Business Technology
       Investment Council (BTIC) a series of migration options for LAS.
       As the OCIO
       proposal noted SBA “is faced with a clear decision; is there an action that can be
       taken to eliminate the reliance on the mainframe prior to the end of the current
       contract term, or should OCIO immediately begin the process of procuring a
       replacement for the existing Unisys contract.” Migration activities, estimated at
       367 days in the OCIO December, 2004 plan were anticipated to start on May 2,
       2005, after vendor procurement activities were completed.

   •   A Request for Information (RFI) was issued June 30, 2005; alternative solutions
       will be considered by the BTIC during the week of August 15, 2005.

OBJECTIVES, SCOPE AND METHODOLOGY

The objective of this review was to evaluate whether SBA’s plans and controls
are working effectively to address issues related to migrating from its legacy mainframe
Unisys Clearpath 2200 operating system. The need for change comes from at least two
major risks:

   •   Application and technology risk – OCIO noted in its December 2004
       proposal, “the existing mainframe applications support the mission of the
       SBA but there are several significant drawbacks of the current platform
       including extremely high-cost, obsolete technology, and serious security
       holes that cannot easily be addressed. The applications are COBOL based
       and have been in existence for up to 30 years.”

   •   Contracting and cost risk – GSA has informed the SBA the existing task
       order cannot be extended. Therefore, it is likely that maintaining the
       status quo will require the SBA to negotiate a custom agreement.
       This
       custom agreement may significantly limit SBA’s optimal contracting
       leverage, thereby potentially impacting service levels and increasing
       operating costs.

The scope of our review included an examination of FY 2005 Business
Technology Investment Council (BTIC) minutes, the OCIO Mainframe Migration plan
dated December 2004, proposal and contracting documents, interviews with selected
SBA personnel. We performed our review during May to July 2005.

REVIEW RESULTS

The results of our review identify that the LAS remediation project requires
intervention and oversight from the highest levels of SBA up to and including the Acting
Deputy Administrator.

Finding 1:  The Loan Accounting System Needs Immediate Attention by all
            Aspects of SBA

SBA needs to immediately develop and deploy an effective LAS migration or
modernization plan. As noted in the SBA’s strategic systems plan “The single biggest
challenge facing the SBA is the modernization of the loan accounting process, where the
Loan Accounting System is the central hub.
This mainframe-based system has been in
place for approximately 30 years and significantly contributes to the amount of manual
processes in place.”[2] A major impediment to making needed changes is that LAS is
“owned” by multiple SBA Offices including: Office of Financial Assistance, Office of
Disaster Assistance, Office of Field Operations and the Office of Chief Financial Officer.
These multiple SBA Offices have disparate organizational goals and objectives, making
prioritization and implementation of remediation efforts both untimely and challenging.
As a result, the LAS migration or modernization project requires intervention and
oversight from senior management, such as the Acting Deputy Administrator.

The OCIO Strategic Plan indicated that OCIO will work with the entire Agency to
design a more integrated solution that provides increased functionality throughout the
loan lifecycle, as well as more robust and user-friendly capability. This will streamline
the process by providing more automation throughout the process, reducing data entry
redundancies, and allowing real-time updates and inquiry of loan data.

Further, SBA’s Loan Accounting System presents substantial risk to the Agency.
This was reported in the KPMG Legacy Application Report issued on May 22, 2002,
more than three years ago. That report noted that SBA has a substantial risk related to the
age of the systems [the LAS] and the age of the work force that supports it. It also faces
an increasingly shrinking window of opportunity for completing systems modernization
efforts. The core transaction systems operating on the mainframe are inflexible and
provide an end-user interface that is both difficult to navigate and difficult to
comprehend.

The KPMG Legacy Application Report also stated that the SBA Loan Accounting
System is outdated.
The application portfolio is largely made up of systems and
technology that are dangerously close to the end of their expected useful life. Very few
of the systems are compliant with the SBA Information Technology Architecture (ITA);
it is not likely that the older technologies or the systems that are built on them can be
cost-effectively modernized to the point that they could play a meaningful long-term role
in a new LAS.

[2] SBA IT Strategic Plan, Page 35, Document Date – September 2004

The Clinger-Cohen Act (44 USC 3506) requires Agencies to:
   •   Assume responsibility and accountability for information technology
       investments,
   •   Assume responsibility for maximizing the value and assessing and managing
       the risks of major information systems initiatives through a process that is –
          o   Integrated with budget, financial, and program management decisions;
              and
          o   Used to select, control, and evaluate the results of major information
              systems initiatives.

According to the SBA Information Technology Investment Management Guide
(ITIM), the Business Technology Investment Council (BTIC) is SBA's top tier review
board. The BTIC is responsible for reviewing and making decisions on all major IT
investments, including screening, scoring, and prioritizing new initiatives, monitoring
ongoing investments, and evaluating implemented investments. In addition, BTIC
provides recommendations for Agency-wide IT investment strategies and improves upon
the overall ITIM process.

From a review of IT proposals Capital Asset Plans (CAP) submitted by SBA
since the KPMG Legacy Application Report was finalized in 2002, there has been no
proposal submitted and adopted by the SBA for migrating, modernizing or replacing
LAS.
This includes CAPs preliminarily approved for FY 2007 which are due to be
submitted to OMB in September 2005.

SBA has internally discussed moving off the legacy mainframe as identified in
BTIC minutes in 2004 and 2005. However, due to the fragmented ownership of LAS and
the inability of the individual SBA offices which have a vested interest in LAS to act in
concert to submit a timely and comprehensive proposal for either migrating off LAS,
updating its components or planning for eventual system retirement, a viable solution has
not been determined. Therefore, we believe that SBA has not been fully responsive to its
duties as defined within 44 USC 3506 in planning for the replacement or upgrading of the
existing LAS legacy system since the KPMG Legacy Application Report was published
in 2002.

Recommendations:

We recommend that the Acting Deputy Administrator:

1.A    In coordination with affected component offices of the Agency, adopt a plan to
       expedite the migration or modernization of SBA’s Loan Accounting System off
       the current UNISYS legacy mainframe and make this the highest priority of the
       SBA going forward using good project management practices and financial
       management of the project.

1.B    Ensure the adopted migration or modernization plan for the SBA Loan
       Accounting System include such budgets and resources to ensure success of the
       project and if possible, be included in the FY 2007 Capital Asset Plan submission
       to OMB and Congress.

Management Comments

In SBA’s response, SBA fully concurred with the finding and both
recommendations to this report (see attachment A for SBA’s full response).

Evaluation of Management’s Comments

SBA comments were responsive to the recommendations.

Finding 2:  Ownership of the Loan Accounting System is not Defined Clearly
            which has Compounded Risks and Slowed Replacement Efforts

According to the OIG Report 4-18 issued on April 5, 2004 finding #2,
“Ownership of LAS does not accurately reflect the offices which actually own the
system. SBA security documentation identified that SBA’s Chief Financial Officer owns
and has overall responsibility for LAS. This occurred because ownership of LAS was
inappropriately designated to the Chief Financial Officer in March of 2001. As a result,
operational units within SBA including the Office of Chief Information Officer (OCIO),
Office of Capital Access, Office of Field Operations, Office of Disaster Assistance and
the Office of Chief Information Officer do not currently have a formal direct stake in the
operations, risks and capabilities of LAS. Since responsibilities have not been
appropriately designated, coordination between SBA offices for changes to the LAS
environment is therefore, not effectively administered.”

OMB Circular A-130, Appendix 3, Section B.3.4. requires that for major
applications, a management official shall provide written authorization for use after
confirming that its security plan as implemented adequately protects the application.
Management authorization implies accepting the risk of each system used by the
application. Additionally, SBA’s System Development Methodology (SDM) requires the
establishment of a Change Control Board (CCB) for all new application projects.

SBA was supposed to implement a CCB for LAS on January 1, 2005. The CCB
is supposed to represent all offices with a direct stake in LAS operations and act as a
voice in ensuring the continuance of the system. We are not making any
recommendations since recommendation 2.B for report 4-18 has not yet been
implemented.
However, we note that with the multi-tiered ownership of LAS, no
proposal for replacing LAS was submitted to the BTIC in either FY 2003 or FY 2004.
Additionally, no proposal is pending for replacing LAS in the FY 2005 submission to
OMB.

Finding 3:  Other Alternative Replacements to the Loan Accounting System could
            be Less Expensive to Operate in the Long-Term

The “Mainframe Migration Business Case Analysis” issued by the OCIO on
December 10, 2004, identified that the base operations of the Legacy Mainframe were
$40.1 million over five years. This compared with migrating to a less expensive platform
with a five year cost of $23.7 million. This would equate to a five year projected savings
of $16.4 million if the OCIO Mainframe Migration Business Case estimated costs prove
to be accurate.

Some alternatives that were not mentioned or included with estimated costs in the
Mainframe Migration Business Case Analysis included:

   •   Fully replacing and retiring legacy applications with more modern applications or
       business logic based upon updated architectures as the more modern systems
       come on-line within SBA. As an example, from our audit on the legacy Loan
       Application Tracking System (LATS) (OIG Report 4-18), SBA identified that it
       would fully replace LATS with its Electronic Transaction (ETRAN) system in
       July 2005.
       Therefore, there should be no reason to continue LATS after July
       2005.

   •   Exploring the costing out of specific Information Technology (IT) services of the
       mainframe system per subsystem and the SBA Office that requires it – that is, if
       one SBA office insists that it needs a subsystem of the legacy mainframe, use
       accounting principles to charge that specific SBA office for services that only it
       uses on the UNISYS mainframe system. Otherwise, utilize updated architectures
       and rework on-line analytical processing tools to support the requirements of the
       various SBA offices.

   •   Utilize the 1999 Booz, Allen and Hamilton – Loan Monitoring System Business
       Process Reengineering study as a beginning to updating the work processes
       around the SBA legacy systems. While SBA’s Office of Lender Oversight and
       Guaranty Purchase Center have changed a number of operations since 1999, the
       underlying systems which support SBA remain very similar to the ones which
       existed six years ago.

Recommendations:

3.A    We recommend that the Chief Information Officer in conjunction with OCFO
       explore the feasibility of charging each individual office for legacy applications
       which only those offices use when newer and more economical alternate
       computing capabilities exist.

3.B    We recommend that the Chief Information Officer and any potential LAS
       modernization project review the 1999 Booz, Allen and Hamilton – Loan
       Monitoring System Business Process Reengineering study and other materials
       from the previous Systems Modernization Initiative project as a beginning to
       updating the work processes around the SBA legacy
       systems.

Management Comments

Officials from SBA’s OCIO did not provide formal management comments to
this report, but met with us on September 9, 2005. OCIO had the following comments in
response to our draft report:

   •   OCIO requested that we remove converting SBA’s business logic to existing
       Sybase Data Base Management Structures (DBMS) or future Oracle DBMS
       structures and making the Electronic Loan Information Processing System
       (ELIPS) the master loan DBMS. OCIO identified that the existing mainframe
       business logic is extremely complex and could not be easily converted.
       Additionally, the ELIPS is in reality a data warehouse for OCFO.
   •   OCIO identified that SBA had decided that a project would be undertaken
       Agency-wide which would be headed by one of the major ownership offices. In
       this project the owners would identify their business processes, identify what
       processes were necessary and have technology work to meeting those process
       needs to develop a new system.
   •   OCIO further identified that SBA had decided to issue a Charter for implementing
       a newer system whereby one of the ownership offices would lead the group. SBA
       decided that Office of Capital Access would lead the effort. A representative
       from OCIO would be there to assist in a business process reengineering study
       (BPR) to ensure that the business processes could be transported to a technology
       solution.
   •   OCIO would continue to modernize the “low-hanging-fruit” of mainframe
       modules.
       They would replace modules one-at-a-time if possible.
   •   OCIO agreed with recommendation 3.A (the draft recommendation 3.B) as stated.

Evaluation of Management’s Comments

SBA comments were responsive to the recommendations. We modified finding
3, eliminated the former recommendation 3.A and added a new recommendation 3.B.
These changes reflect that SBA verbally informed us that they had selected a business
process reengineering project for updating its business processes.

Finding 4:  The Loan Accounting System does not have Adequate Security to
            Protect the Information within the System

SBA has a number of serious security weaknesses which it has either accepted or
cannot successfully address within its current mainframe environment due to budget
constraints or the abilities of the mainframe system to secure these issues. These security
weaknesses were estimated to cost $3.6 million to correct in SBA’s Mainframe Migration
Report issued in December 2004.
As a result, SBA’s main mission critical information is
at risk of exposure, or misuse due to a potential lack of confidentiality or integrity within
the LAS system.

OMB Circular A-130 Security of Automated Information Resources identifies
adequate security as security commensurate with the risk and magnitude of harm
resulting from the loss, misuse, or unauthorized access to or modification of information.

The Clinger – Cohen Act 44 USC 3506 requires that with respect to privacy and
security each Agency shall implement and enforce applicable policies, procedures,
standards, and guidelines on privacy, confidentiality, security, disclosure and sharing of
information collected or maintained by or for the agency.

The following security weaknesses which are not in compliance with SBA’s SOP
90-47 on Computer Security have been identified for the Eagan Mainframe or LAS by
either SBA’s Risk Assessment or OIG audits:

1.     [FOIA Ex. 2]

2.     No data checking was performed including:
       •   Event checking which ensures that data input is valid and that the LAS
           database was updated correctly, and
       •   Data checking which identifies if data is altered prior to update cycle.

       SBA’s estimated cost in its POA&M to repair or mitigate this vulnerability within
       the current platform is $360,000 and would not fully address all aspects of the
       vulnerabilities identified.

3.     [FOIA Ex. 2] SBA’s estimated cost in its POA&M to repair or mitigate this
       vulnerability within the current platform is $845,000.

4.     Access controls were not implemented in the relational database system. SBA’s
       estimated cost in its POA&M to repair or mitigate this vulnerability within the
       current platform is $500,000.

5.     [FOIA Ex. 2] SBA’s estimated cost in its POA&M to repair or mitigate this
       vulnerability within the current platform is $125,000.

6.     LAS did not perform auditing features including:
       •   [FOIA Ex. 2]

       SBA’s estimated cost to repair or mitigate these vulnerabilities in its POA&M is
       $760,800 and would not fully address all aspects of the vulnerabilities identified.

7.     Documentation for system and program changes was outdated, and
       documentation supporting tests of program changes was inadequate. Specifically,
       user and programmer test plans and results are not documented to demonstrate
       that programs are properly tested and approved prior to being placed in operation.
       Compliance is not enforced, because control procedures do not exist to ensure that
       documentation is being updated and maintained.

       In answering OIG audit 5-12 on Information System Controls for FY 2004, SBA
       recently estimated that the partial cost of updating documentation for LAS to a
       reasonable level would be over $1.1 million and would not fully correct all system
       documentation issues.

       All six items have been identified in OIG audits and risk assessments of SBA’s
       LAS mainframe system going back to FY 2001. SBA responded to our FISCAM
       audit 01-12 issued on July 2, 2001 that for systems that have been frozen and are
       due for retirement [LAS], we consider it an unwise investment in resources to
       update documentation. However, with the LMS redirection in May 2001, SBA
       has identified no concrete plans to replace LAS with either an updated platform or
       make the investments needed to correct the security and system vulnerabilities
       within the current system.
       These security and system vulnerabilities make LAS
       unsustainable over the long-term and create operational risk to the Agency.

Recommendation:

4.A    We recommend that the SBA Chief Operating Officer take concrete steps to
       improve the computing environment and potentially eliminating the security
       vulnerabilities identified for its legacy mainframe operating system.

Management Comments

SBA fully concurred with the finding and both recommendations to this report.

Evaluation of Management’s Comments

SBA comments were responsive to the recommendations.

***

The findings included in this report are the conclusions of the Auditing Division
based upon the auditors’ review of SBA’s Loan Accounting System and applicable
planning and contract documents. The findings and recommendations are subject to
review and implementation of corrective action by your office following the existing
Agency procedures for audit follow-up and resolution.

This report may contain proprietary information subject to the provisions of 18
USC 1905. Do not release to the public or another agency without permission of the
Office of Inspector General.

Should you or your staff have any questions, please contact Jeffrey R. Brindle,
Director, Information Technology and Financial Management Group, at (202) 205-
[FOIA Ex. 2].

APPENDIX A

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

OFFICE OF THE ADMINISTRATOR

Sep 30 2005

TO:       Peter McClintock
          Acting Inspector General

          /S/ Original Signed
FROM:     Stephen D. Galvan
          Acting Deputy Administrator and Chief Operating Officer

SUBJECT:  Response to OIG LAS Memorandum Advisory Report

In its August 18, 2005 report on SBA’s Loan Accounting System (LAS), the OIG alerted
the Agency to "serious and significant" problems with the LAS and the need for more
effective action to immediately develop and deploy an effective LAS migration or
modernization plan. SBA agrees with the four findings of the report and will act on the
Five recommendations supporting the findings.

Cc: Mr. Robert Seabrooks, Assistant IG for Auditing

APPENDIX B

REPORT DISTRIBUTION

Recipient

Office of the Chief Financial Officer
Attention: Jeffrey Brown                     1

General Counsel                              3

U.S. Government Accountability Office        1